Project Grey Goose: smart grid cyber security

The Project Grey Goose investigation was launched on 16 October 2009 to answer the question of whether there have been any successful hacker attacks against the power grid, both domestically in the United States and internationally. The key findings are particularly relevant now as smart grid research and development ramps up, with the expectation that network attacks against the bulk power grid will almost certainly escalate steadily in frequency and sophistication over the next 12 months.

The US bulk power grid is a system of synchronised power providers and consumers connected by transmission and distribution lines and operated by one or more control centres.

The Energy Policy Act 2005 gave the Federal Energy Regulatory Commission (FERC) the power to require the power industry to designate an electric reliability organisation (ERO), which would then develop standards for all of the owner/operators of the bulk power system and submit them to FERC for approval. Once approved, the ERO would enforce them under FERC’s oversight.

FERC chose the North America Electric Reliability Council (NERC) for the role of ERO, which, in 2006, submitted 107 proposed standards for approval. In March 2007 FERC approved 83 of these grouped into eight critical infrastructure protection (CIP) standards and after a review and commenting period, issued a final set of CIPs on 17 January 2008 with a three-year implementation period.

The eight CIP reliability standards address the following topics:

Critical cyber asset identification

Security management controls

Personnel and training

Electronic security perimeters

Physical security of critical cyber assets

Systems security management

Incident reporting and response planning, and

Recovery plans for critical cyber assets.

As the implementation period grows shorter, owner/operators and their vendors are struggling to make sense of CIP regulations which are more like guidelines, and voluminous NIST guidance that runs to over 1,200 pages.

SECURITY WEAKNESSES IN THE SMART GRID 100 smart grid projects distributed across 49 states have been funded by federal grants and industry contributions equaling about $8 billion. The bulk of the funding will go to the purchase of hardware allowing for remote load shifting during peak and non-peak times as well as the wireless communication of data collected from an estimated 18 million smart meters. The positive benefits of investing in smart grid technology are laudable; however the rush to implement this technology before serious vulnerabilities are addressed and patched serves to make the grid more vulnerable to cyber attacks. The following is a brief survey of documented vulnerabilities in smart grid technology by three different SCADA security experts.

Making a secure smart grid a reality (1) “Most alarming is that ‘worm-able’ code execution on standard smart meters has been achieved. The smart meter’s chipset used for radio communication is publicly available in a developer kit format, and the radio interface’s lack of authentication can be leveraged to produce a worm. If an attacker installed a malicious program on one meter, the internal firmware could issue commands to flash adjacent meters until all devices within an area were infected with the malicious firmware.

“Once the worm has spread to the meters, the attacker gains several abilities including:

Connecting and disconnecting customers at predetermined times

Changing metering data and calibration constants

Changing the meter’s communication frequency

Rendering the meter non-functional.

“If a truly malicious worm were to infect meters in a given area, there would be a best and a worst case scenario. Under the best case scenario, the utility would simply push a firmware update across the standard wireless network to all the affected meters, overwrite the worm, and return the meters to normal operation. This assumes the attacker had not damaged the remote flashing capabilities, changed the frequency on which the meter operates, or changed the calibration of the meter.

“Unfortunately, during malicious attacks the worst-case scenario is more likely to be true. In this case, the normal wireless update mechanisms would no longer be intact, or the calibration of the meters would have been changed. If meters supported remote disconnect capability they could be instructed to simultaneously or individually disconnect service to customers’ homes. To return power to affected homes, the utility would need to take time to understand the vulnerability and develop a patch. Then the utility would need to physically repair or replace each meter to return it to normal operation. Restoring power to homes would likely be an expensive and long process, detrimental to the utility and frustrating to the customers.”

The dark side of the smart grid: Smart meters (in)security (2) This white paper by Israeli security company C4, which specialises in performing penetration tests against SCADA systems and military C4I systems, among others, identifies several attack vectors against smart grid technology, one of which is “Lack of Authentication”:

1.3 Lack of Authentication C4 Security has encountered numerous meters that didn’t have any authentication or encryption support. This design flaw makes it possible for an attacker to impersonate the control center and send unauthorized commands to meters or read metering data. The consequence of a successful attack on meters with disconnection capabilities is particularly destructive.

“It should be noted that although some of the metering protocols support encryption, which can be viewed as a network access password, most of the deployments we’ve encountered so far did not enable these features. Since every metering standard includes support for “no encryption” or ‘no authentication’, it usually poses too great a temptation for the integration teams which prefer to choose these settings in order to avoid additional deployment problems.”

Low level design vulnerabilities in wireless control systems hardware (3) “This paper demonstrates the relevance of common control systems communications hardware vulnerabilities that lead to direct control systems compromise. The paper describes several enabling vulnerabilities exploitable by an attacker, the design principles that cause them to arise, the economic and electronic design constraints that restrict their defense, and ideas for vulnerability avoidance. Topics include design induced vulnerabilities such as the extraction and modification of communications device firmware, man-in-the-middle attacks between chips of a communications devices, circumvention of protection measures, bus snooping, and other attacks. Specific examples are identified in this report, ranked by attack feasibility. Each attack was investigated against actual IEEE 802.15.4 radio architectures.”

Goodspeed was also the principal researcher in discovering a pseudo random number generator (PRNG) flaw that could allow attackers to bypass the encryption of Texas Instruments’s Z-stack software for microcontrollers used in smart grid devices. Texas Instruments just announced that it has begun working on a patch (4).

SECURITY INCIDENTS The following is a list of network attacks against private and state-owned utilities which provide electricity to the national and international grid. This information has come from publicly available sources and/or through interviews with industry experts who in some cases have requested confidentiality. In a few instances, attacks against water utilities are included since they are also part of critical infrastructure and they use process control (SCADA) software.

12 November 2009: Brazil. A hacker gained access to the corporate network of the Operador Nacional do Sistema Eletrico (ONS), Brazil’s national system operator responsible for controlling the transmission of electricity as well as the operation of generation facilities throughout the nation. However, the hacker stopped short of accessing the ONS’s operational network.

10 November 2009: Brazil. At 22:13 local time, the Itaipu Dam which supplies 20% of the electricity for Brazil and all of the electricity for Paraguay suddenly shut down. The ONS placed the blame on bad weather, however according to Instituto Nacional de Pesquisas technicians no electrical charge had hit the power lines at Itaipu dam on that evening. A government investigation is pending.

1 October 2009: Australia. A virus compromised about 1,000 computers at Integral Energy but it impacted business systems only. No outage resulted.

?/2009: US. A cyber attack against a US utility company’s process control system resulted in a plant shutdown. The date, location, and name of utility were not disclosed to this investigation.

19 April 2009: US. On 19 April at 23:00 NRG Texas Power LLC’s corporate IT monitoring system identified a high number of failed attempts to log into corporate computers, which emanated from a plant computer at one of the utilities generating stations. This same event was again detected at 00:30 on 20 April, emanating from a different plant computer at the same generating facility. The computers in question were isolated from the corporate network and virus scans on the computers were performed, which indicated that they had been infected with a virus. The affected computers do not have control authority for power control systems, and as such, could not be utilised to control the units or to trip them off-line, so it is felt that these incidents could not affect the electric power system. The investigation is on-going.

23 May 2008: Russian Federation. Hackers attacked nuclear power websites that provided information on background radiation levels while issuing false rumours of a nuclear accident at the Leningrad Nuclear Power Plant near St Petersburg, according to officials with Rosatom Nuclear Energy State Corporation.

26-27 September 2007: Brazil. A two day outage affecting 3 million people was the result of an attack by hackers according to a 60 Minutes episode airing on 6 November 2009. The show referred to a rare public statement by CIA senior analyst Tom Donahoe at a SANS conference in January 2008, who did not name the affected country or city. The Brazilian government disputes the claim, and based on its investigation it placed the blame on sooty insulators.

27 July 2007: US. At 05:05 there was a failure of computer hardware used for monitoring at Tennessee Valley Authority (SERC).

?/2007: US. An intruder installed unauthorised software and damaged the computer used to divert water from the Sacramento River at Willows, CA.

9 October 2006: US. A hacker gained control of a computer which controlled critical systems at a Harrisburg, PA water treatment plant through an employee’s laptop. A spokesman from WaterISAC said it was the fourth attack on a water system in 4 years. In one of those cases, the hacker left a message: “I enter in your server like you in Iraq.”

19 August 2006: US. Unit 3 of Tennessee Valley Authority’s Brown’s Ferry nuclear power plant went into a shutdown after two water recirculation pumps failed. An investigation found that the controllers for the pumps locked up due to a flood of computer data traffic on the plant’s internal control system network. The GAO found that TVA’s internet-connected corporate network was linked with systems used to control power production, and that security weaknesses pervasive in the corporate side could be used by attackers to manipulate or destroy vital control systems. The agency also warned that computers on TVA’s corporate network lacked security software updates and anti-virus protection, and that firewalls and intrusion detection systems on the network were easily bypassed and failed to record suspicious activity.

?/January 2005: Brazil. A cyber attack knocked out power in three cities north of Rio de Janeiro, affecting tens of thousands of people.

?/2005: US. The gauges at the Sauk Water Storage Dam read differently from the gauges at the dam’s remote monitoring station, causing a catastrophic failure that released one billion gallons of water.

7-8 May 2001: US. Power outages impacted 400,000 California households. The California Independent System Operator (ISO), which is responsible for the purchasing and distribution of power, had two Solaris web servers hacked and the hackers active in their network from 25 April to 11 May.